Internet Safety
Computer Diseases
Trojan Horses, Viruses & Worms


by Nishant Deshpande


One of the characteristics of living organisms is their susceptibility to disease. A diseased organism typically exhibits a drop in performance, or may act in unusual and sometimes harmful ways.

This article examines how, much like living organisms, computers can become infected by disease. Because computing is a slightly younger field than medicine, computer scientists have yet to settle on an exact classification of these diseases. They are most commonly split into three categories: Trojan Horses, Viruses and Worms. These categories are by no means universal; some group them all as different types of viruses, while others would not be satisfied with only three categories. This article uses these categories for analysis, noting the many similarities and highlighting the differences.


The Trojan Horse


The name Trojan Horse is derived from Greek mythology, from the Iliad by Homer. In the Iliad, Homer describes how the Greek army, after unsuccessfully trying to capture the city of Troy, lift the siege and leave a wooden horse, ostensibly as a gift to the gods of the city. The citizens of Troy accept the gift by pulling it inside the city walls, whereupon Greek soldiers emerge from the horse to capture the city.
What does Greek mythology have to do with computer diseases? Well, like the mythical Trojan horse, a Trojan horse program pretends to be a perfectly legitimate program, for example a compiler or file handler, which has access to other users' files. This apparently legitimate program is, however, subverted with the objective of violating security constraints.

A malicious programmer would write a 'useful' program (say a file organiser for DOS) and make it publicly available (typically on BBS services). As well as the useful code, the programmer will place code to carry out his own agenda - maybe read/change files, monitor keyboard input and get user passwords. If the programmer is subtle and has enough knowledge, the Trojan Horse may never be found out.

Other subtle ways to spread Trojans exist. Consider a hacker who writes an executable program called 'ls' and places it in a directory defined in root's path. (Translated from UnixSpeak, 'ls' is usually a harmless command to list all files in the current directory; 'root' is the system supervisor and has complete access to the whole system.) Now when root switches to this directory and executes the command, the hacker's 'ls' executable will be run, with root's permissions. The program could do anything, such as wipe out all the files on the system.
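A defender's check for the search-path problem described above, added here as an example and not part of the original article: it flags PATH entries that search the current directory or that other users can write to, and lists which copy of a command would run first. It assumes POSIX permissions; the function names and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_path(path_value):
    """Return (entry, reason) findings for unsafe entries in a PATH string."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry, "current directory is searched"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        elif not os.path.isdir(entry):
            findings.append((entry, "not a directory"))
        elif os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group or others"))
    return findings

def shadowed(path_value, command):
    """List every executable `command` on the PATH in search order.
    More than one hit means the first shadows the rest."""
    hits = []
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits

def build_demo():
    """Constructed layout: a trusted dir and a world-writable dir, each with an 'ls'."""
    root = tempfile.mkdtemp()
    trusted = os.path.join(root, "bin")
    shared = os.path.join(root, "shared")
    for directory, mode in ((trusted, 0o755), (shared, 0o777)):
        os.mkdir(directory)
        os.chmod(directory, mode)
        tool = os.path.join(directory, "ls")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\n")  # harmless placeholder file
        os.chmod(tool, 0o755)
    return trusted, shared

if __name__ == "__main__":
    trusted, shared = build_demo()
    path_value = os.pathsep.join([shared, ".", trusted])
    for entry, reason in audit_path(path_value):
        print(f"UNSAFE {entry!r}: {reason}")
    print("search order for ls:", shadowed(path_value, "ls"))
```

Run against the supervisor account's real PATH, any finding is a directory in which someone other than the administrator could plant a same-named command.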

Most Trojans are the work of a system 'insider' - someone with limited access to a system/information who would like to subvert the system to get further access or confidential information.


Computer Viruses


In medicine from a layman's perspective, a virus is a kind of disease-spreading material that is very small and hard to find, which enters cells and attaches itself to them so that when the cell multiplies so does the virus. Under some circumstances it can explode into action, even destroying the infected organism (or host).
The above definition is a very good guide to the properties of a Computer Virus. A Computer Virus is a computer program that is able to replicate itself and transmit copies of itself to other hardware and/or software systems. Each of the copies in turn may self-replicate and affect yet other systems. A computer virus usually attaches itself to an existing program and is therefore permanently stored with the program.

Typically, a virus is able to recognise an executable file. It can then append its own code to the end of the file, and make small changes to the original code so that each time the original program is executed, the virus code will also be executed.

Unlike a Trojan Horse, however, a virus is constantly looking for further programs to infect. Some viruses may lie dormant for some time; this makes them much harder to detect. They may also be akin to a 'time-bomb' - constantly replicating and infecting other programs until some defined date, on which they will 'explode' (damage the system by modifying/deleting data).

Note that a virus is permanently stored in the system. It follows that it is not sufficient to simply switch off the system to purge the virus; subsequent use of the infected file/executable will re-introduce the virus into the system. Moreover, we cannot be certain when the initial infection took place, so replacing files from the backup may not necessarily help.

Many different types of viruses exist. They are mostly classified according to their different ways of replication and infection. A particular type of virus that has received quite a bit of attention is the Polymorphic (Mutation) Virus.

Polymorphic Viruses (mutation engine viruses) encrypt or scramble their code with each replication so that no copy of the virus appears the same. This makes them extremely difficult to detect with most virus scanners, because scanners rely on a known virus code pattern to locate a virus.
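The following added example (not from the original article) contrasts the two detection approaches implied above: a fixed-pattern scanner, which misses a scrambled copy, and an integrity baseline, which notices that a host file was appended to or altered whatever the added bytes look like. All file names, byte strings and function names are constructed stand-ins, and the baseline is only trustworthy if it was taken before the first infection.

```python
import hashlib

# Constructed stand-ins: no real program or malware bytes are used.
CLEAN_PROGRAM = b"\x7fHOST-PROGRAM" + bytes(range(64))
KNOWN_PATTERN = b"CONSTRUCTED-MARKER-0001"  # the scanner's "known virus code pattern"

def scramble(data, key):
    """Stand-in for per-copy scrambling: XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)

def signature_scan(blob, pattern=KNOWN_PATTERN):
    """Fixed-pattern scanner: flags a file only if the known bytes appear verbatim."""
    return pattern in blob

def take_baseline(files):
    """Record size and SHA-256 of each file while it is known to be clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def integrity_check(files, baseline):
    """Return {name: reason} for files that differ from the baseline."""
    changed = {}
    for name, data in files.items():
        size, digest = baseline.get(name, (None, None))
        if size is None:
            changed[name] = "not in baseline"
        elif len(data) != size:
            changed[name] = f"size {size} -> {len(data)}"
        elif hashlib.sha256(data).hexdigest() != digest:
            changed[name] = "same size, different content"
    return changed

def demo():
    disk = {"a.exe": CLEAN_PROGRAM, "b.exe": CLEAN_PROGRAM, "c.exe": CLEAN_PROGRAM}
    baseline = take_baseline(disk)
    # Simulated appended code: verbatim in a.exe, scrambled in b.exe, c.exe untouched.
    disk["a.exe"] += KNOWN_PATTERN
    disk["b.exe"] += scramble(KNOWN_PATTERN, 0x5A)
    by_signature = sorted(n for n, d in disk.items() if signature_scan(d))
    by_integrity = integrity_check(disk, baseline)
    return by_signature, by_integrity

if __name__ == "__main__":
    by_signature, by_integrity = demo()
    print("signature scanner flags:", by_signature)
    print("integrity check flags:  ", by_integrity)
```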

Polymorphic viruses have been increasing in popularity due to the development of a "Mutation Engine". The Mutation Engine was designed by a person or group called the "Dark Avenger". It was placed on BBS stations with the mutation code available to everyone. It even comes with a set of instructions to make any normal virus into a polymorphic virus.


Worms


"There may be a virus loose on the internet."
Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988

Just after midnight, Nov. 3, 1988, a collection of networks consisting of approximately 60,000 computers, interconnected via the internet, was brought to its knees by a single Worm program, now famous as the Internet Worm. Approximately 6,000 of the computers succumbed to the attack.

While the worm did not destroy or attempt to destroy any data, it did cause substantial secondary damage by clogging the network to the point that some of the victimized systems were unable to carry out useful work.

What is a Worm Program?

The term "worm" actually comes from a science fiction story called 'The Shockwave Rider' written by John Brunner in 1975. In short, the story is about a totalitarian government that controls its citizens through a powerful computer network. A freedom fighter infests this network with a program called a "tapeworm", forcing the government to shut down the network, thereby destroying its base of power.

A worm is very similar to a computer virus in that it is self-replicating and subverts the system; however it is usually a self-contained program that enters a system via regular communication channels in a network. Once inside the system, it launches a program which searches for other internet locations, infecting them if it can. Thus all machines attached to an infected machine are at risk of attack.

Risk

Any computers attached to the infected machine are at risk. Considering the connectivity of the internet on the whole, this includes a huge number of computers whose only defense is the sealing of the security gaps which the worm uses to enter. Secondly, worms can spread with no assistance (as opposed to viruses, which must literally be carried from one machine to another). Once the worm discovers an internet connection, all that it must do is download a copy of itself to that location, and continue running as normal.

Another difference between the Worm and the Computer Virus is that a worm normally only exists in the main memory of the system, not in its permanent store (file system). This means that the ordinary powering down of the system will purge the worm. Note, however, that this does not preclude subsequent reinfection when the computer is operational again, particularly if the system is connected to an infected network.


Conclusion

A crucial difference between computer diseases and biological diseases is that all three of the diseases described above are man-made. Modern society has learnt to control biological disease; yet new strains of viruses, resistant to man-made cures, evolve all the time. We can expect the same with computer diseases. There will always be someone with enough knowledge to create new kinds of diseases, and use his/her knowledge maliciously. The Polymorphic Virus goes a small way to a true 'evolving' virus. Such a virus could change its physical appearance (code) and its actions based completely on external stimuli. This implies some kind of 'artificial intelligence'. The very existence of Artificial Intelligence is debatable; thus a true evolving virus is still a theoretical research area.

The Internet and Computer Diseases

The thought of a Worm spreading all over the world, paralysing all computer systems through the internet, is a scenario technophobes love to paint. At first glance it seems a valid concern. But the lack of a universal standard on the Internet acts as its defense. The internet comprises a bewildering variety of computer systems; most computer diseases are platform specific - that is, they can only infect certain types of computers (e.g. PCs or Macs or a specific type of Unix). It may not be possible for a virus or worm to infiltrate most, or even many, of these different computers.

Man-made disease, Man-made cure

So far, all virus/worm infections have been cured; the offending program has been 'defeated'. In many cases this has involved a lot of time and effort, and considerable damage has been done. But intuitively we feel that there will always be a way to defeat a man-made computer program, unlike a biological virus, where we have no real control and the possibility always exists that we will never find a cure.

Just be careful

There is increasing awareness of computer diseases. Many anti-virus tools exist and new ones are being developed all the time. Thus with adequate protection and general awareness, the likelihood of an infection is quite low. However, perfect security does not exist. There is no such thing as zero risk.

